csr: support basic constraints -> IsCA from CSR

rustls · Oct 3, 2023 · ae702ea · ae702ea
1 parent e8348ab
commit ae702ea
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/src/csr.rs b/src/csr.rs
@@ -4,7 +4,10 @@ use crate::{CustomExtension, DistinguishedName, SanType};
 use pem::Pem;
 use std::hash::Hash;
 
-use crate::{Certificate, CertificateParams, PublicKeyData, RcgenError, SignatureAlgorithm};
+use crate::{
+	BasicConstraints, Certificate, CertificateParams, IsCa, PublicKeyData, RcgenError,
+	SignatureAlgorithm,
+};
 
 /// A public key, extracted from a CSR
 #[derive(Debug, PartialEq, Eq, Hash)]
@@ -101,6 +104,20 @@ impl CertificateSigningRequest {
 						params.key_identifier = ski.0.to_vec();
 						true
 					},
+					x509_parser::extensions::ParsedExtension::BasicConstraints(bc) => {
+						params.is_ca = match (bc.ca, bc.path_len_constraint) {
+							(false, _) => IsCa::ExplicitNoCa,
+							(true, None) => IsCa::Ca(BasicConstraints::Unconstrained),
+							(true, Some(len_constraint)) => {
+								IsCa::Ca(BasicConstraints::Constrained(
+									len_constraint.try_into().map_err(|_| {
+										RcgenError::UnsupportedBasicConstraintsPathLen
+									})?,
+								))
+							},
+						};
+						true
+					},
 					_ => false,
 				};
 				if !supported {
@@ -114,7 +131,6 @@ impl CertificateSigningRequest {
 		}
 
 		// Not yet handled:
-		// * is_ca
 		// * extended_key_usages
 		// * name_constraints
 		// and any other extensions.

diff --git a/src/error.rs b/src/error.rs
@@ -39,6 +39,9 @@ pub enum RcgenError {
 	RingUnspecified,
 	/// Time conversion related errors
 	Time,
+	/// Unsupported basic constraints extension path length in CSR
+	#[cfg(feature = "x509-parser")]
+	UnsupportedBasicConstraintsPathLen,
 	/// Unsupported extension requested in CSR
 	#[cfg(feature = "x509-parser")]
 	UnsupportedExtension,
@@ -97,6 +100,11 @@ impl fmt::Display for RcgenError {
 			DuplicateExtension(oid) => {
 				write!(f, "Extension with OID {oid} present multiple times")?
 			},
+			#[cfg(feature = "x509-parser")]
+			UnsupportedBasicConstraintsPathLen => write!(
+				f,
+				"Unsupported basic constraints extension path length constraint in CSR"
+			)?,
 		};
 		Ok(())
 	}